Daikin Emura Series – Arbitrary Remote Control via DNS Rebinding

There is a lot of hype around DNS rebinding vulnerability and vulnerable IoT devices, including home cameras, air conditioners or climate control devices; this flaw will cover the lack of origin checking on HTTP requests.

DNS Rebinding Attack

DNS Rebinding allows an attacker who has control on a DNS server to communicate with a device connected to the internal network of the victim.

Normally, these kind of attacks are mitigated by the Same-Origin policy header, implemented by most of the browsers, that will block every attempt to load external content that does not belong to the original domain.

The idea of the attack is to configure an evil DNS server that will respond to a specific A query and will return two IPs for two consecutive requests; the first one will return the attacker’s IP with a short TTL (1 sec), the second one will return the original IP of the device.

Since most browsers use different caching systems with different expiration times, a minimum amount of seconds is needed to perform the attack. In order to achieve a perfect exploitation scenario, the victim needs to stay on the attacker’s website for at least 60 seconds (on Firefox, it may change with other browsers).

The attack

First, we configure the DNS server using FakeDns tool; we just need one entry for our attack scenario.

NOTE: In our PoC we used NAT addresses, an internet address can be used for the fake DNS server.

Now the evil DNS server will respond to A query for rebind-example.voidzone.it host, the first parameter before the ‘%’ is the TTL.

Next step is to build an HTML page, entertaining our user with a youtube video and waiting for the timeout; when this occurs, an XMLHttpRequest is sent to the device.